
I am currently facing the problem that a Linux machine running Ubuntu 10.04 LTS with Samba and winbindd installed is unable to join a domain that is managed by a Windows 2008 DC.

The Linux config is probably all right, since I have successfully used it at multiple sites running 2008 as well as 2003 DCs. The error I get ("libads/kerberos.c: Join to domain is not valid. Client credentials have been revoked") indicates that there is a Kerberos problem.

Normally the Linux box is supposed to authenticate via NTLM and is configured that way. The only reason I can imagine why it tries Kerberos is that the DC is forcing it.

Do you know whether there is any setting in the security policies of a Windows 2008 server that would completely block NTLM, forcing Kerberos? If so, where can I find this setting?

ftiaronsem

2 Answers


First off, check which version of NTLM is being required by Group Policy. Second, are the times on the machines in sync? Kerberos gets awfully wonky if the time on the client and server are significantly different.

Driftpeasant
  • The time on both machines is synced by NTP. Manual tests also show it to be perfectly in sync. What Group Policies are you referring to? The only one I know of is the LanManagerAuthenticationLevel, which is set to "LM & NTLM - use NTLMv2 session security if negotiated". If you know any other I could check those. Thanks in advance – ftiaronsem Nov 16 '11 at 17:31

NTLM is disabled by default in Vista/2008 and 2008 R2/Win7; it's less secure, although you can enable the use of NTLM using GPO.

Usually when doing a net ads join, it is using Kerberos instead of NTLM. I would check your /etc/krb5.conf.

This may also be of some help concerning the specific error you're getting: http://technet.microsoft.com/en-us/library/bb463167.aspx

    Clients’ credentials have been revoked while getting initial credentials
    Application/Function: kinit

    Potential Causes and Solution: 
    Can indicate that the user's account is locked or expired (account expired, not password expired).
Steve Butler
  • Thanks for your effort. Kerberos is not installed on the machines I was joining into the domains. I just checked and there is no krb5.conf. However, such a setup has worked multiple times for me. An expired user account is unlikely since the machine was joined with the administrator account ^^. As for the Group Policies, I have set the LanManagerAuthenticationLevel to "LM & NTLM - use NTLMv2 session security if negotiated". Are there any other policies I have to adapt? – ftiaronsem Nov 16 '11 at 17:36
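For reference, here is the kind of /etc/krb5.conf and smb.conf [global] setup that the answer above says to check before a net ads join, alongside the time-skew point from the first answer. This is an added example, not configuration from the original post, from the asker's machines, or from the Samba project; the realm EXAMPLE.COM, the NetBIOS domain EXAMPLE and the DC name dc1.example.com are assumed placeholders to be replaced with the real ones.

```ini
# /etc/krb5.conf  (added example; realm and DC names are placeholders)
[libdefaults]
    # AD realm names are the DNS domain in UPPER CASE; Kerberos treats the
    # realm name as case-sensitive, so example.com here would not match.
    default_realm = EXAMPLE.COM
    # Locate KDCs through the _kerberos._tcp SRV records that AD publishes.
    # This only works if the box resolves names via the AD DNS servers.
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    EXAMPLE.COM = {
        # Explicit fallback KDC for when the SRV lookup above is unavailable.
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    # Map hostnames in the DNS domain to the realm (note the leading dot).
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# /etc/samba/smb.conf, [global] section  (added example)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    # security = ads joins and authenticates with Kerberos (what net ads join
    # uses). security = domain with net rpc join is the older NTLM-based path
    # and does not need a working krb5.conf.
    security = ads
    encrypt passwords = yes
    winbind use default domain = yes
```

With these in place, kinit Administrator@EXAMPLE.COM followed by klist (both from the krb5-user package on Ubuntu) confirms the KDC is reachable and the clock is within the KDC's tolerance before retrying net ads join -U Administrator. A "Clock skew too great" reply from kinit is the time problem the first answer describes, whereas "Clients credentials have been revoked" (KRB5KDC_ERR_CLIENT_REVOKED) is the KDC rejecting the account named in -U itself, so the account state on the DC is the thing to check in that case.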